The current practice
Data privacy regulation protects the rights of individuals in relation to the collection, use and disclosure of their personal data. Businesses’ approach to data privacy law compliance has, to date, focused on drafting and implementing privacy policies and user terms that adequately describe the types and uses of the personal data captured and that obtain the individuals’ consent for these. Generally, privacy policies are prepared as an afterthought to the planning of the data collection process and simply document the procedures already in place. Individuals are often required to consent to all the described uses of their personal data or are otherwise prevented from receiving the services or using the application in question.
Legal requirements for a new approach
Proposed changes to the EU data protection legislation, however, will require businesses to adopt an alternative approach to data privacy law compliance: privacy by design. This requires businesses to embed privacy standards and data subject controls in the design blueprint of their systems and applications. Privacy requirements are modelled in the analysis phase of the system’s design and form an integral part of the system, rather than being bolted on as an afterthought. Systems engineers plan in advance the privacy functions, such as pseudonymisation, anonymisation, randomisation, data segregation and automatic deletion, that will be deployed at the various stages of the system’s handling of the data.
Advantages of privacy by design
The value of privacy by design is increasingly recognised. The 36th International Conference of Data Protection and Privacy Commissioners last month passed a resolution that called upon all parties to develop and use big data technologies according to the principles of privacy by design. Cost benefits may also be obtained from the privacy by design approach, by minimising and preventing privacy risks and data breaches from the outset. From a reputational perspective, incorporating strong privacy protection into systems’ specifications is also likely to foster both public and regulatory confidence in the business’s operations and offerings.
How to implement privacy by design
The privacy by design approach involves educating developers and design teams about the applicable data privacy regulation so that the privacy requirements for a particular system are understood and the relevant privacy solutions can be embedded into the system’s design. Privacy protection and data minimisation should be treated as the system’s default settings, so that individuals are not required to take any action in order to activate the applicable privacy controls. The business’s legal, design and operations teams collaborate to discuss the legal requirements, technical specifications and operational functions for the system at the planning stage, and together decide upon the most appropriate solutions to incorporate into the design of the system.
So why the sudden push for a new approach to data privacy compliance? With the increasing prominence of data collection and analysis in the ‘big data’ age, government authorities around the world have renewed their focus on standards of privacy protection for personal data. Often led by the consumer rights agenda, lawmakers in Europe, Asia and the US have been debating and developing greater regulation of data privacy in the last 12 months.
The current draft of the EU General Data Protection Regulation expressly refers to businesses implementing privacy by design among the measures to be taken to meet the data protection requirements. Non-compliance with the EU General Data Protection Regulation, if enacted in its current draft form, could lead to fines of up to EUR 100m or 5% of annual worldwide turnover (whichever is greater). Enforcement of privacy standards by the authorities has also become more systematic and aggressive, and privacy authorities are increasingly undertaking proactive investigations and campaigns to monitor compliance. Businesses should look to anticipate forthcoming developments in the privacy laws so that they can incorporate privacy functions into their systems’ design and ensure compliance with minimal disruption to their operations once the new legal standards come into effect.